Configuration Settings Management FAQ

What is the Configuration Settings Management (CSM) Security Capability?

The CSM CDM Security Capability is a grouping of security controls that are employed to:

  • Address the need to track and manage configuration settings of assets within an organization.
  • Mitigate attacks that require successful exploitation of default or poor configuration settings to compromise a device or system.
  • Prevent or minimize software from executing or processing potentially malicious or malformed input.
  • Stop or delay the compromise of devices due to misconfigurations.
  • Stop or delay expansion or escalation via software vulnerabilities.

What security results should we be able to achieve by implementing the CSM security capability?

CSM identifies misconfigurations to allow an organization to mitigate attacks that require successful exploitation of default or poor configuration settings to compromise a device or system. Effective implementation of CSM helps ensure security configuration settings are specified, validated and managed.

What type of security issues are addressed by the CSM security capability?

Attacks against configuration settings exploit functionality in software or hardware, rather than flaws in the software or hardware. While attacks that exploit vulnerabilities in software (managed by Vulnerability Management) deal with bugs in software's source code and method of operation, attacks against configuration settings exploit default or "out-of-the-box" settings, or misconfigurations caused by administrators who incorrectly configure permissions to a resource. Attackers first seek out assets with default configurations, such as the default admin password on a service, for easy access into other systems. It is the easiest way for an attacker to exploit a network.
Not all vulnerable configuration settings are due to "out-of-the-box" settings. During troubleshooting efforts, administrators sometimes change permissions on files or services to ensure the security settings are not interfering with the execution of a program or service. When inadvertently left in place, these configuration changes can leave the modified application open to attack and exploitation.
Because poorly configured systems provide attackers with easy targets of opportunity due to quick access to elevated privileges or known default settings, a rigorous configuration settings management process and policies can help identify poor and unsecure configuration settings. As a result, attackers frequently compromise devices by finding and exploiting weaknesses.

What can I do to reduce my exposure to attacks exploiting poor configurations settings management?

Once the organization has identified the differences between Actual and Desired States, it is able to understand the differences and determine the appropriate corrective actions, such as:
Develop more accurate Desired State specifications:

  • Establishing and maintaining configuration inventories
  • Establishing and updating baseline configurations for systems
  • Having processes in place to make changes in a controlled and approved fashion

Manage deployed configurations and monitor changes:

  • Auditing changes in place against those established in the inventory or baseline
  • Having a controlled process for exceptions with periodic review
  • Having automated mechanisms to centrally manage, apply, and verify configurations
  • Establishing non-persistent settings to protect against unauthorized changes

In addition, the response options listed below may help when defects are found between CSM Actual and Desired States:

Defect TypeDetection RuleResponse Options
Unapproved settingSetting exists in the Actual State and is assigned a positive risk score in the Desired State.Change setting or accept risk score OR go through change management and approve setting.
Non-reporting devicesThe device is in the HWAM Desired or Actual State, but not in the CSM Actual State with sufficiently timely data.Restore reporting or declare the device missing/uninstalled/retired in HWAM

How does the CSM security capability define a configuration setting?

A configuration setting is a piece of metadata about software or hardware that determines how it functions. The value can be changed by an administrator (with proper permissions). A configuration setting can take the form of a default password in a SAM file (in the case of the Windows Operating System), a registry key, or a line in a configuration file that is used by a program when executed. A configuration setting can also take the form of privileges (such as file/folder permissions) that must be set by an administrator.
Hardware Asset Management (HWAM) and Software Asset Management (SWAM) support CSM by providing a reliable inventory of hardware and software assets to check for known issues.

How does the CSM security capability support ongoing automated assessments as defined by NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organization?

Determining the difference between Desired State and Actual State for CSM is provided by routine checks on end devices and the verification of configuration compliance status. CDM requires that device state information be returned for some failed checks, changing how the current tools and processes perform configuration settings management. The act of collecting the data is still the comparison of what the configuration should be against what the configuration is actually set to. Configuration checks must be written in machine-readable code to prevent subjectivity, allowing only for pass or fail decisions.
The following is an example of how the assessment for misconfigurations can be automated:

  • The Actual State is a list of configurations from the hardware and software assets on the network. The Actual State can be collected automatically using sensors deployed through-out the environment to collect hardware and software configurations required for comparison.
  • The Desired State specification is a list of what configurations should be for the hardware and software assets on the network.
  • Defects can be found through computing the differences between Actual State and Desired State. The analysis tool determines if there is a difference between what should be (Desired State) the configuration setting and what actually is (Actual State) the configuration setting.

What data should I collect to support the CSM security capability?

The Actual State inventory for CSM is a listing, by discovered device, with all collected configuration settings from each device in your D/A. The minimal CSM data recorded for the Actual State should include the following:

Data ItemJustification
Expected CPE (vendor, product, version, release level) or equivalent for each settingFor defining device types, for supply chain management, and to know what CCEs may apply to the device.
Version of the configuration guideline/rule set used for each settingFor documenting the version of guideline/rule set all comparisons were made against.
Date/Time of Data Collection for each settingFor documenting point in time the checks were accomplished.
Device settings were collected from each settingFor identifying the device checked.
What must be returned to show current status for each settingFor identifying current status for each setting

The Desired State specification is the authorized configurations defined for authorized software and hardware products in your organization. Every authorized device has a role, and each role requires a baseline configuration. Each organization should have an inventory, by device, documenting the authorized configuration and thus configuration settings for each device in your enterprise. The organization must decide what software must be protected, and which settings to include in CSM. The minimal configuration settings management data recorded for the Desired State should include the following:

Data ItemJustification
Applicable CPE (vendor, product, version, release level) or equivalentFor defining device types, for supply chain management, and to know what CCEs may apply to the device.
Approved baseline configuration version for each settingFor tracking version of baseline configurations
CCE configuration to be followed for each settingFor identifying which CCEs to configure the device to local D/A settings in addition to baseline configuration settings For identifying local D/A requirements beyond baseline configuration settings
What is to be configured for each setting (registry, password, privilege, etc.)For identifying what needs to be checked for compliance.
The validation rule to check for each settingTo identify the check to be run on the metadata of the setting
What constitutes compliance for each settingTo document the definition of compliance for the particular setting

How can I identify managers to support the CSM security capability?

The manager(s) for hardware and software configurations are the group of persons who have authority and responsibility to manage the hardware and software assets. Authority and responsibility means, at a minimum, having the right administrator privileges on the asset to effectively manage the asset.

How can we prevent unauthorized configurations from getting on the network in the first place?

The most effective way to minimize exposure to poor configuration settings is to establish processes and procedures to routinely check, review, and report configuration settings on all assets on the network. Effective options include:

  • Establishing and maintaining a secure image
  • Establishing and maintaining approved configurations checklists
  • Determining actual configurations and comparing them with authoritative approved configurations. If differences are observed, understanding the delta and determining appropriate corrective actions
  • Establishing processes for quickly remediating discovered discrepancies, including identified CSM defects

How does CSM support the other CDM security capabilities?

CSM relies on HWAM and SWAM security capabilities to provide a reliable inventory and specification for all in- scope hardware and software assets in the environment. Implementation of HWAM and SWAM will identify the hardware and software assets actually on the network. The CDM CSM process will leverage the asset information to collect and/or verify the state or values of configuration attributes necessary to determine compliance to configuration policy specifications. Just like the other CDM capabilities, network, software and hardware asset monitoring will need to be implemented in order to check and manage configuration settings.